Mashable: Tired of cookie consent pop-ups? You soon may see less of them. “The European Commission is currently looking into relaxing a 2009 EU law that has inadvertently led to the endless cookie consent pop-ups around the web. The law, called the e-Privacy Directive, requires websites to request consent from users before loading cookies on their computer or mobile device.”

https://rbfirehose.com/2025/09/24/mashable-tired-of-cookie-consent-pop-ups-you-soon-may-see-less-of-them/

@stman OFC #Browsers are the prime attack vector since we as users allowed Turing-complete #RemoteCodeExecution inside of them, a.k.a. #JavaScript.

This is the way #Skiddies on #discord have been "hacking" each other for over a decade now...

@Tarnport +9001%

There are no "legitimate interests" and every site that mandates #Cookies and #JavaScript has given up on #Accessibility and #DataProtection.

  • And even if there were legitimate reasons, those wouldn't need consent (cuz #GDPR acknowledges shit like #SessionCookies exist!), so that isn't a problem either!

A seemingly harmless Chrome extension can now hijack your digital keys—stealing Azure session cookies and bypassing MFA. Curious how this stealthy Cookie-Bite attack works and what you can do to stay secure?

https://thedefendopsdiaries.com/understanding-and-mitigating-the-cookie-bite-attack/

#cookiebiteattack
#azuresecurity
#sessioncookies
#cyberthreats
#microsoft365security

Learn how Slack automatically detects stolen session cookies: https://slack.engineering/catching-compromised-cookies/

#sessioncookies #security

Google fighting back against session hijackers: stolen cookies to be worthless
https://cybernews.com/tech/google-fighting-against-session-hijackers-cookies/ #cybersecurity #gmail #youtube #sessioncookies

@11110110101 @heiseonline
If I read the original (https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking) correctly, the problem only exists for accounts that have already been cracked. Presumably MFA helps so that it never gets that far?

Otherwise:
"If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens."

#Google #MFA #OAuth #SessionHijacking #SessionCookies

Sneak peek at the new ronin-web session-cookie command coming in ronin-web-1.1.0:

$ ./bin/ronin-web session-cookie "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
$ ./bin/ronin-web session-cookie --verbose "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
Type: JWT
Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Params:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

HMAC: "I\xf9J\xc7\x04IH\xc7\x8a(\\\x90O\x87\xf0\xa4\xc7\x89\x7f~\x8f:N\xb2%V\x9dB\xcb0\xe5"

#websecurity #sessioncookies #bugbountyhunters

@wilson I had to figure out Django's weird "project" vs. "app" design, and wire up a "view" to set a "session variable" which apparently you do by modifying request.session, and set SESSION_ENGINE to 'django.contrib.sessions.backends.signed_cookies', but I finally got it:

Set-Cookie: sessionid=eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA; expires=Fri, 24 Feb 2023 23:07:05 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

The first part of the session cookie is the Base64 JSON serialized session variables. The second part appears to be the request ID or some kind of counter, and the third part must be related to the HMAC:

If I set SESSION_SERIALIZER to 'django.contrib.sessions.serializers.PickleSerializer' (which is apparently getting removed in 5.0, but is probably still used), I get the pickled session variables:

Set-Cookie: sessionid=gAWVEAAAAAAAAAB9lIwDZm9vlIwDYmFylHMu:1pQcay:RjaK8DKN4xXQ_APIXXWEyFS08Q-PGo6UlRBFpedFk9M; expires=Fri, 24 Feb 2023 23:14:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

#django #sessioncookies
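The three-part cookie taken apart in the post above, as an added example that is not part of the original post and not Django's own code: a standalone re-implementation of the signed_cookies format (base64 JSON payload, base62 Unix timestamp from TimestampSigner, salted HMAC-SHA256 from django.core.signing, which is the default algorithm since Django 3.1, assumed here). It decodes the posted cookie without a key, refuses the PickleSerializer variant, and signs and verifies a cookie under a constructed SECRET_KEY.

```python
import base64, hashlib, hmac, json, time, zlib

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT = "django.contrib.sessions.backends.signed_cookies"  # salt used by the signed_cookies backend
COOKIE_AGE = 1209600  # Django's default SESSION_COOKIE_AGE; matches the Max-Age in the headers above

def b64d(s):  # urlsafe base64 without padding, as Django's signing module emits it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b62_decode(s):  # the middle segment is a base62 Unix timestamp from TimestampSigner
    return sum(B62.index(c) * 62 ** i for i, c in enumerate(reversed(s)))

def b62_encode(n):
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"

def signature(value, secret_key):
    # django.utils.crypto.salted_hmac: key = SHA-256(key_salt + SECRET_KEY), HMAC-SHA256 over value
    key = hashlib.sha256((SALT + "signer" + secret_key).encode()).digest()
    return b64e(hmac.new(key, value.encode(), hashlib.sha256).digest())

def make_cookie(session, secret_key, now=None):
    """Build payload:timestamp:signature the way signing.dumps + TimestampSigner do (JSON, uncompressed)."""
    payload = b64e(json.dumps(session, separators=(",", ":")).encode())
    value = f"{payload}:{b62_encode(int(now or time.time()))}"
    return f"{value}:{signature(value, secret_key)}"

def parse_cookie(cookie, secret_key=None, now=None):
    """Return (session_dict, issued_at). Signature and age are verified only when a key is given."""
    payload, ts, sig = cookie.split(":")
    if secret_key is not None:
        if not hmac.compare_digest(signature(f"{payload}:{ts}", secret_key), sig):
            raise ValueError("bad signature")
        if (now or time.time()) - b62_decode(ts) > COOKIE_AGE:
            raise ValueError("session expired")
    compressed = payload.startswith(".")  # Django prefixes zlib-compressed payloads with '.'
    raw = b64d(payload[1:]) if compressed else b64d(payload)
    if compressed:
        raw = zlib.decompress(raw)
    if raw.startswith(b"\x80"):  # pickle PROTO opcode: PickleSerializer output, never unpickle it
        raise ValueError("pickle payload; refusing to deserialize")
    return json.loads(raw), b62_decode(ts)
```

Decoding is not authentication: anyone holding the cookie can read the payload, and only the HMAC check against SECRET_KEY (plus the age check) makes its contents trustworthy.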

Why is it so hard to get an example of what a Set-Cookie session cookie header looks like for Django? No, I don't want to know how to use cookies in a Django app, I want to see the raw HTTP output. I swear Google is getting worse.

Edit: appears that I'm specifically looking for an example output of django.contrib.sessions.serializers.PickleSerializer or django.contrib.sessions.backends.signed_cookies, not the standard sessionid=....
#django #http #sessioncookies